Starting to review and refactor mixer
Tal Moran
parent
63e26fdc16
commit
1baa567d8e
|
|
@ -5,7 +5,7 @@ import meerkat.crypto.mixnet.MixerOutput;
|
|||
import meerkat.protobuf.Crypto;
|
||||
import meerkat.mixer.necessary.AsyncBulletinBoardClient;
|
||||
import meerkat.mixer.necessary.CompleteBatch;
|
||||
import meerkat.mixer.verifier.VerifyTable;
|
||||
import meerkat.mixer.proofs.VerifyTable;
|
||||
|
||||
import java.util.Arrays;
|
||||
import java.util.List;
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
package meerkat.mixer.prover;
|
||||
package meerkat.mixer.proofs;
|
||||
|
||||
import com.google.protobuf.ByteString;
|
||||
import com.google.protobuf.InvalidProtocolBufferException;
|
||||
|
|
@ -11,9 +11,9 @@ import org.factcenter.qilin.primitives.concrete.ECGroup;
|
|||
/**
|
||||
* use for organize the input for each ZKP
|
||||
*
|
||||
* both meerkat.mixer.prover and meerkat.mixer.verifier implantation are using it
|
||||
* both meerkat.mixer.proofs and meerkat.mixer.verifier implementation use it
|
||||
*/
|
||||
public class ElGamalProofOrganizer {
|
||||
public class ECElGamalMixProof {
|
||||
|
||||
private final ECGroup group;
|
||||
private final ECPoint g;
|
||||
|
|
@ -26,7 +26,7 @@ public class ElGamalProofOrganizer {
|
|||
* @param g - generator of group
|
||||
* @param h - h = g ^ SecretKey
|
||||
*/
|
||||
public ElGamalProofOrganizer(ECGroup group, ECPoint g, ECPoint h){
|
||||
public ECElGamalMixProof(ECGroup group, ECPoint g, ECPoint h){
|
||||
this.group = group;
|
||||
this.g = g;
|
||||
this.h = h;
|
||||
|
|
@ -34,20 +34,16 @@ public class ElGamalProofOrganizer {
|
|||
this.hEncoded = group.encode(h);
|
||||
}
|
||||
|
||||
public enum OrProofOrder {
|
||||
first, second, third, fourth
|
||||
}
|
||||
|
||||
public enum TrueCouple {
|
||||
left, right, unknown
|
||||
}
|
||||
|
||||
/**
|
||||
* can be used by meerkat.mixer.prover only
|
||||
* can be used by meerkat.mixer.proofs only
|
||||
*
|
||||
* call to the meerkat.mixer.main overload with flag = true
|
||||
*/
|
||||
protected ElGamalProofInput createProofInput(Crypto.RerandomizableEncryptedMessage in1, Crypto.RerandomizableEncryptedMessage in2
|
||||
protected Statement createProofInput(Crypto.RerandomizableEncryptedMessage in1, Crypto.RerandomizableEncryptedMessage in2
|
||||
, Crypto.RerandomizableEncryptedMessage out1, Crypto.RerandomizableEncryptedMessage out2
|
||||
, Crypto.EncryptionRandomness r1, Crypto.EncryptionRandomness r2, boolean switched) throws InvalidProtocolBufferException {
|
||||
|
||||
|
|
@ -60,7 +56,7 @@ public class ElGamalProofOrganizer {
|
|||
*
|
||||
* call to the meerkat.mixer.main overload with flag = false
|
||||
*/
|
||||
public ElGamalProofInput createProofInput(Crypto.RerandomizableEncryptedMessage in1, Crypto.RerandomizableEncryptedMessage in2
|
||||
public Statement createProofInput(Crypto.RerandomizableEncryptedMessage in1, Crypto.RerandomizableEncryptedMessage in2
|
||||
, Crypto.RerandomizableEncryptedMessage out1, Crypto.RerandomizableEncryptedMessage out2) throws InvalidProtocolBufferException {
|
||||
|
||||
// flag = false;
|
||||
|
|
@ -71,14 +67,14 @@ public class ElGamalProofOrganizer {
|
|||
* inner method
|
||||
* convert each encrypted message to ElGamalCiphertext
|
||||
*
|
||||
* @param flag - true if called by meerkat.mixer.prover ( r1,r2,switched are known)
|
||||
* @param flag - true if called by meerkat.mixer.proofs ( r1,r2,switched are known)
|
||||
* @return ElGamalProofInput
|
||||
* @throws InvalidProtocolBufferException - in case that at least one of the encrypted messages isn't
|
||||
* ElGamalCiphertext
|
||||
*/
|
||||
private ElGamalProofInput createProofInput(Crypto.RerandomizableEncryptedMessage in1, Crypto.RerandomizableEncryptedMessage in2
|
||||
private Statement createProofInput(Crypto.RerandomizableEncryptedMessage in1, Crypto.RerandomizableEncryptedMessage in2
|
||||
, Crypto.RerandomizableEncryptedMessage out1, Crypto.RerandomizableEncryptedMessage out2
|
||||
, Crypto.EncryptionRandomness r1, Crypto.EncryptionRandomness r2, boolean switched,boolean flag)
|
||||
, Crypto.EncryptionRandomness r1, Crypto.EncryptionRandomness r2, boolean switched, boolean flag)
|
||||
throws InvalidProtocolBufferException {
|
||||
|
||||
//convert RerandomizableEncryptedMessage to ElGamalCiphertext
|
||||
|
|
@ -88,47 +84,70 @@ public class ElGamalProofOrganizer {
|
|||
ConcreteCrypto.ElGamalCiphertext out2ElGamal = ECElGamalEncryption.RerandomizableEncryptedMessage2ElGamalCiphertext(out2);
|
||||
|
||||
if(flag) {
|
||||
return new ElGamalProofInput(in1ElGamal, in2ElGamal, out1ElGamal, out2ElGamal, r1, r2, switched);
|
||||
return new Statement(in1ElGamal, in2ElGamal, out1ElGamal, out2ElGamal, r1, r2, switched);
|
||||
}else {
|
||||
return new ElGamalProofInput(in1ElGamal, in2ElGamal, out1ElGamal, out2ElGamal);
|
||||
return new Statement(in1ElGamal, in2ElGamal, out1ElGamal, out2ElGamal);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* can be construct by instance of organizer only by calling createProofInput method (all constructors are private)
|
||||
* Statement to be proved. The statement consists of the four substatements that are ORs of the DLOG equality.
|
||||
*
|
||||
* in construction it use for preparing the input for prove, while avoiding double converting or calculations
|
||||
* This can be constructed only by calling createProofInput method on an instance of ECElGamalMixProof (all constructors are private)
|
||||
*
|
||||
* in construction it is used for preparing the input for proving, while avoiding double converting or calculations
|
||||
*
|
||||
* use as a container for 4 OrProofInput.
|
||||
*/
|
||||
public class ElGamalProofInput {
|
||||
public class Statement {
|
||||
private final OrStatement first;
|
||||
private final OrStatement second;
|
||||
private final OrStatement third;
|
||||
private final OrStatement fourth;
|
||||
|
||||
private final OrProofInput first;
|
||||
private final OrProofInput second;
|
||||
private final OrProofInput third;
|
||||
private final OrProofInput fourth;
|
||||
|
||||
private ECPoint convert2ECPoint(ByteString bs){
|
||||
public OrStatement getFirst() {
|
||||
return first;
|
||||
}
|
||||
|
||||
public OrStatement getSecond() {
|
||||
return second;
|
||||
}
|
||||
|
||||
public OrStatement getThird() {
|
||||
return third;
|
||||
}
|
||||
|
||||
public OrStatement getFourth() {
|
||||
return fourth;
|
||||
}
|
||||
|
||||
/**
|
||||
* Decode from the serialized representation to an {@link ECPoint} object.
|
||||
* @param bs
|
||||
* @return
|
||||
*/
|
||||
private ECPoint decodeECPoint(ByteString bs){
|
||||
return group.decode(bs.toByteArray());
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* @param flag - true if called by meerkat.mixer.prover ( r1,r2,switched are known)
|
||||
* @param proving - true if called by meerkat.mixer.proofs ( r1,r2,switched are known)
|
||||
*/
|
||||
private ElGamalProofInput(ConcreteCrypto.ElGamalCiphertext e1, ConcreteCrypto.ElGamalCiphertext e2
|
||||
private Statement(ConcreteCrypto.ElGamalCiphertext e1, ConcreteCrypto.ElGamalCiphertext e2
|
||||
, ConcreteCrypto.ElGamalCiphertext e1New, ConcreteCrypto.ElGamalCiphertext e2New
|
||||
, Crypto.EncryptionRandomness r1, Crypto.EncryptionRandomness r2, boolean switched,boolean flag){
|
||||
, Crypto.EncryptionRandomness r1, Crypto.EncryptionRandomness r2, boolean switched, boolean proving){
|
||||
|
||||
ECPoint e1c1 = convert2ECPoint(e1.getC1());
|
||||
ECPoint e1c2 = convert2ECPoint(e1.getC2());
|
||||
ECPoint e2c1 = convert2ECPoint(e2.getC1());
|
||||
ECPoint e2c2 = convert2ECPoint(e2.getC2());
|
||||
ECPoint e1Nc1 = convert2ECPoint(e1New.getC1());
|
||||
ECPoint e1Nc2 = convert2ECPoint(e1New.getC2());
|
||||
ECPoint e2Nc1 = convert2ECPoint(e2New.getC1());
|
||||
ECPoint e2Nc2 = convert2ECPoint(e2New.getC2());
|
||||
ECPoint e1c1 = decodeECPoint(e1.getC1());
|
||||
ECPoint e1c2 = decodeECPoint(e1.getC2());
|
||||
ECPoint e2c1 = decodeECPoint(e2.getC1());
|
||||
ECPoint e2c2 = decodeECPoint(e2.getC2());
|
||||
ECPoint e1Nc1 = decodeECPoint(e1New.getC1());
|
||||
ECPoint e1Nc2 = decodeECPoint(e1New.getC2());
|
||||
ECPoint e2Nc1 = decodeECPoint(e2New.getC1());
|
||||
ECPoint e2Nc2 = decodeECPoint(e2New.getC2());
|
||||
|
||||
ECPoint c1_e1NDive1 = group.add(e1Nc1, group.negate(e1c1));
|
||||
ECPoint c1_e2NDive1 = group.add(e2Nc1, group.negate(e1c1));
|
||||
|
|
@ -141,14 +160,12 @@ public class ElGamalProofOrganizer {
|
|||
ECPoint c2_e2NDive2 = group.add(e2Nc2, group.negate(e2c2));
|
||||
|
||||
|
||||
if(!flag){
|
||||
|
||||
this.first = new OrProofInput(c1_e1NDive1,c2_e1NDive1,c1_e1NDive2,c2_e1NDive2);
|
||||
this.second = new OrProofInput(c1_e1NDive1,c2_e1NDive1,c1_e2NDive1,c2_e2NDive1);
|
||||
this.third = new OrProofInput(c1_e1NDive2,c2_e1NDive2,c1_e2NDive2,c2_e2NDive2);
|
||||
this.fourth = new OrProofInput(c1_e2NDive1,c2_e2NDive1,c1_e2NDive2,c2_e2NDive2);
|
||||
|
||||
}else {
|
||||
if(!proving) {
|
||||
this.first = new OrStatement(c1_e1NDive1,c2_e1NDive1,c1_e1NDive2,c2_e1NDive2);
|
||||
this.second = new OrStatement(c1_e1NDive1,c2_e1NDive1,c1_e2NDive1,c2_e2NDive1);
|
||||
this.third = new OrStatement(c1_e1NDive2,c2_e1NDive2,c1_e2NDive2,c2_e2NDive2);
|
||||
this.fourth = new OrStatement(c1_e2NDive1,c2_e2NDive1,c1_e2NDive2,c2_e2NDive2);
|
||||
} else {
|
||||
|
||||
byte[] c1_e1NDive1Encoded = group.encode(c1_e1NDive1);
|
||||
byte[] c1_e2NDive1Encoded = group.encode(c1_e2NDive1);
|
||||
|
|
@ -161,29 +178,29 @@ public class ElGamalProofOrganizer {
|
|||
|
||||
|
||||
if (!switched) {
|
||||
this.first = new OrProofInput(c1_e1NDive1, c2_e1NDive1, c1_e1NDive2, c2_e1NDive2
|
||||
this.first = new OrStatement(c1_e1NDive1, c2_e1NDive1, c1_e1NDive2, c2_e1NDive2
|
||||
, c1_e1NDive1Encoded, c2_e1NDive1Encoded, c1_e1NDive2Encoded, c2_e1NDive2Encoded
|
||||
, r1, TrueCouple.left);
|
||||
this.second = new OrProofInput(c1_e1NDive1, c2_e1NDive1, c1_e2NDive1, c2_e2NDive1
|
||||
this.second = new OrStatement(c1_e1NDive1, c2_e1NDive1, c1_e2NDive1, c2_e2NDive1
|
||||
, c1_e1NDive1Encoded, c2_e1NDive1Encoded, c1_e2NDive1Encoded, c2_e2NDive1Encoded
|
||||
, r1, TrueCouple.left);
|
||||
this.third = new OrProofInput(c1_e1NDive2, c2_e1NDive2, c1_e2NDive2, c2_e2NDive2
|
||||
this.third = new OrStatement(c1_e1NDive2, c2_e1NDive2, c1_e2NDive2, c2_e2NDive2
|
||||
, c1_e1NDive2Encoded, c2_e1NDive2Encoded, c1_e2NDive2Encoded, c2_e2NDive2Encoded
|
||||
, r2, TrueCouple.right);
|
||||
this.fourth = new OrProofInput(c1_e2NDive1, c2_e2NDive1, c1_e2NDive2, c2_e2NDive2
|
||||
this.fourth = new OrStatement(c1_e2NDive1, c2_e2NDive1, c1_e2NDive2, c2_e2NDive2
|
||||
, c1_e2NDive1Encoded, c2_e2NDive1Encoded, c1_e2NDive2Encoded, c2_e2NDive2Encoded
|
||||
, r2, TrueCouple.right);
|
||||
} else {
|
||||
this.first = new OrProofInput(c1_e1NDive1, c2_e1NDive1, c1_e1NDive2, c2_e1NDive2
|
||||
this.first = new OrStatement(c1_e1NDive1, c2_e1NDive1, c1_e1NDive2, c2_e1NDive2
|
||||
, c1_e1NDive1Encoded, c2_e1NDive1Encoded, c1_e1NDive2Encoded, c2_e1NDive2Encoded
|
||||
, r2, TrueCouple.right);
|
||||
this.second = new OrProofInput(c1_e1NDive1, c2_e1NDive1, c1_e2NDive1, c2_e2NDive1
|
||||
this.second = new OrStatement(c1_e1NDive1, c2_e1NDive1, c1_e2NDive1, c2_e2NDive1
|
||||
, c1_e1NDive1Encoded, c2_e1NDive1Encoded, c1_e2NDive1Encoded, c2_e2NDive1Encoded
|
||||
, r1, TrueCouple.right);
|
||||
this.third = new OrProofInput(c1_e1NDive2, c2_e1NDive2, c1_e2NDive2, c2_e2NDive2
|
||||
this.third = new OrStatement(c1_e1NDive2, c2_e1NDive2, c1_e2NDive2, c2_e2NDive2
|
||||
, c1_e1NDive2Encoded, c2_e1NDive2Encoded, c1_e2NDive2Encoded, c2_e2NDive2Encoded
|
||||
, r2, TrueCouple.left);
|
||||
this.fourth = new OrProofInput(c1_e2NDive1, c2_e2NDive1, c1_e2NDive2, c2_e2NDive2
|
||||
this.fourth = new OrStatement(c1_e2NDive1, c2_e2NDive1, c1_e2NDive2, c2_e2NDive2
|
||||
, c1_e2NDive1Encoded, c2_e2NDive1Encoded, c1_e2NDive2Encoded, c2_e2NDive2Encoded
|
||||
, r1, TrueCouple.left);
|
||||
}
|
||||
|
|
@ -192,57 +209,38 @@ public class ElGamalProofOrganizer {
|
|||
|
||||
|
||||
/**
|
||||
* used by the meerkat.mixer.prover
|
||||
* call to the meerkat.mixer.main constructor with flag = true
|
||||
* used by the meerkat.mixer.proofs
|
||||
* call to the meerkat.mixer.main constructor with proving = true
|
||||
*/
|
||||
private ElGamalProofInput(ConcreteCrypto.ElGamalCiphertext e1, ConcreteCrypto.ElGamalCiphertext e2
|
||||
private Statement(ConcreteCrypto.ElGamalCiphertext e1, ConcreteCrypto.ElGamalCiphertext e2
|
||||
, ConcreteCrypto.ElGamalCiphertext e1New, ConcreteCrypto.ElGamalCiphertext e2New
|
||||
, Crypto.EncryptionRandomness r1, Crypto.EncryptionRandomness r2, boolean switched){
|
||||
//flag = true;
|
||||
//proving = true;
|
||||
this(e1,e2,e1New,e2New,r1,r2,switched,true);
|
||||
}
|
||||
|
||||
/**
|
||||
* used by meerkat.mixer.prover
|
||||
* call to the meerkat.mixer.main constructor with flag = true
|
||||
* used by meerkat.mixer.proofs
|
||||
* call to the meerkat.mixer.main constructor with proving = false
|
||||
*/
|
||||
private ElGamalProofInput(ConcreteCrypto.ElGamalCiphertext e1, ConcreteCrypto.ElGamalCiphertext e2
|
||||
private Statement(ConcreteCrypto.ElGamalCiphertext e1, ConcreteCrypto.ElGamalCiphertext e2
|
||||
, ConcreteCrypto.ElGamalCiphertext e1New, ConcreteCrypto.ElGamalCiphertext e2New){
|
||||
//flag = false;
|
||||
//proving = false;
|
||||
this(e1,e2,e1New,e2New,null,null,false,false);
|
||||
}
|
||||
|
||||
/**
|
||||
* getter for all 4 OrProofInputs
|
||||
*
|
||||
* @param orProofOrder
|
||||
* @return the required OrProof
|
||||
*/
|
||||
public OrProofInput getOrProofInput(OrProofOrder orProofOrder) {
|
||||
switch (orProofOrder) {
|
||||
|
||||
case first:
|
||||
return this.first;
|
||||
case second:
|
||||
return this.second;
|
||||
case third:
|
||||
return this.third;
|
||||
case fourth:
|
||||
return this.fourth;
|
||||
}
|
||||
return null;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* can't be constructed (all constructors are private)
|
||||
* The statement of a single disjunction to be proved:
|
||||
* Either there exists x s.t (g1 ^ x == h1 and g2 ^ x == h2) or there exists x s.t. (g1' ^ x == h1 and g2' ^ x == h2)
|
||||
*
|
||||
* 4 instances will be constructed for each new ElGamalProofInput
|
||||
* The statement can't be constructed externally (all constructors are private)
|
||||
*
|
||||
* 4 instances will be constructed for each new {@link ECElGamalMixProof.Statement}
|
||||
*
|
||||
* container for all meerkat.mixer.necessary inputs for single OrProof
|
||||
*/
|
||||
public class OrProofInput{
|
||||
public class OrStatement {
|
||||
public final ECPoint g1;
|
||||
public final ECPoint h1;
|
||||
public final ECPoint g2;
|
||||
|
|
@ -252,7 +250,7 @@ public class ElGamalProofOrganizer {
|
|||
public final ECPoint g2Tag;
|
||||
public final ECPoint h2Tag;
|
||||
|
||||
// can be access by meerkat.mixer.prover only
|
||||
// can be access by meerkat.mixer.proofs only
|
||||
protected final byte[] g1Encoded;
|
||||
protected final byte[] h1Encoded;
|
||||
protected final byte[] g2Encoded;
|
||||
|
|
@ -265,10 +263,10 @@ public class ElGamalProofOrganizer {
|
|||
protected final TrueCouple flag;
|
||||
|
||||
/**
|
||||
* used by meerkat.mixer.prover only
|
||||
* used by meerkat.mixer.proofs only
|
||||
*/
|
||||
private OrProofInput(ECPoint h1, ECPoint h2, ECPoint h1Tag, ECPoint h2Tag
|
||||
,byte[] h1Encoded, byte[] h2Encoded, byte[] h1TagEncoded, byte[] h2TagEncoded
|
||||
private OrStatement(ECPoint h1, ECPoint h2, ECPoint h1Tag, ECPoint h2Tag
|
||||
, byte[] h1Encoded, byte[] h2Encoded, byte[] h1TagEncoded, byte[] h2TagEncoded
|
||||
, Crypto.EncryptionRandomness x, TrueCouple flag) {
|
||||
this.g1 = g;
|
||||
this.h1 = h1;
|
||||
|
|
@ -296,7 +294,7 @@ public class ElGamalProofOrganizer {
|
|||
/**
|
||||
* used by meerkat.mixer.verifier
|
||||
*/
|
||||
private OrProofInput(ECPoint h1, ECPoint h2, ECPoint h1Tag, ECPoint h2Tag) {
|
||||
private OrStatement(ECPoint h1, ECPoint h2, ECPoint h1Tag, ECPoint h2Tag) {
|
||||
this(h1,h2,h1Tag,h2Tag,null,null,null,null,null,TrueCouple.unknown);
|
||||
}
|
||||
}
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
package meerkat.mixer.prover;
|
||||
package meerkat.mixer.proofs;
|
||||
|
||||
import com.google.protobuf.ByteString;
|
||||
import com.google.protobuf.InvalidProtocolBufferException;
|
||||
|
|
@ -26,7 +26,7 @@ public class Prover implements Mix2ZeroKnowledgeProver {
|
|||
private final ECElGamalEncryption encryptor;
|
||||
private final ECPoint g,h;
|
||||
private final BigInteger groupOrderUpperBound;
|
||||
private final ElGamalProofOrganizer organizer;
|
||||
private final ECElGamalMixProof organizer;
|
||||
|
||||
/**
|
||||
* @param rand
|
||||
|
|
@ -41,7 +41,7 @@ public class Prover implements Mix2ZeroKnowledgeProver {
|
|||
this.group = this.encryptor.getGroup();
|
||||
this.g = group.getGenerator();
|
||||
this.h = this.encryptor.getElGamalPK().getPK();
|
||||
this.organizer = new ElGamalProofOrganizer(group,g,h);
|
||||
this.organizer = new ECElGamalMixProof(group,g,h);
|
||||
this.groupOrderUpperBound = group.orderUpperBound();
|
||||
}
|
||||
|
||||
|
|
@ -68,12 +68,12 @@ public class Prover implements Mix2ZeroKnowledgeProver {
|
|||
Crypto.EncryptionRandomness r2) throws InvalidProtocolBufferException {
|
||||
Mixing.ZeroKnowledgeProof.OrProof first,second,third,fourth;
|
||||
|
||||
ElGamalProofOrganizer.ElGamalProofInput input = organizer.createProofInput(in1,in2,out1,out2,r1,r2,sw);
|
||||
ECElGamalMixProof.Statement statement = organizer.createProofInput(in1,in2,out1,out2,r1,r2,sw);
|
||||
|
||||
first = createOrProofElGamal(input.getOrProofInput(ElGamalProofOrganizer.OrProofOrder.first));
|
||||
second = createOrProofElGamal(input.getOrProofInput(ElGamalProofOrganizer.OrProofOrder.second));
|
||||
third = createOrProofElGamal(input.getOrProofInput(ElGamalProofOrganizer.OrProofOrder.third));
|
||||
fourth = createOrProofElGamal(input.getOrProofInput(ElGamalProofOrganizer.OrProofOrder.fourth));
|
||||
first = createOrProofElGamal(statement.getFirst());
|
||||
second = createOrProofElGamal(statement.getSecond());
|
||||
third = createOrProofElGamal(statement.getThird());
|
||||
fourth = createOrProofElGamal(statement.getFourth());
|
||||
|
||||
Mixing.ZeroKnowledgeProof.Location location = Mixing.ZeroKnowledgeProof.Location.newBuilder()
|
||||
.setI(i)
|
||||
|
|
@ -94,7 +94,7 @@ public class Prover implements Mix2ZeroKnowledgeProver {
|
|||
|
||||
/**
|
||||
* Fiat–Shamir heuristic
|
||||
* @param input - protobuf contains all parameters from the first step of the current prove
|
||||
* @param input - protobuf contains all parameters from the first step of the current proof
|
||||
* @param randomOracle
|
||||
* @return randomOracle.hash(input)
|
||||
*/
|
||||
|
|
@ -105,21 +105,21 @@ public class Prover implements Mix2ZeroKnowledgeProver {
|
|||
|
||||
|
||||
/**
|
||||
* @param orProofInput
|
||||
* @param orStatement
|
||||
* @return ZKP OrProof: there exists x s.t (g1 ^ x == h1 and g2 ^ x == h2) or (g1' ^ x == h1 and g2' ^ x == h2)
|
||||
* assuming DLog is hard in this.group then that proves x is known for the meerkat.mixer.prover
|
||||
* assuming DLog is hard in this.group then that proves x is known for the meerkat.mixer.proofs
|
||||
*/
|
||||
private Mixing.ZeroKnowledgeProof.OrProof createOrProofElGamal(ElGamalProofOrganizer.OrProofInput orProofInput) {
|
||||
private Mixing.ZeroKnowledgeProof.OrProof createOrProofElGamal(ECElGamalMixProof.OrStatement orStatement) {
|
||||
|
||||
ECPoint g1 = orProofInput.g1;
|
||||
ECPoint h1 = orProofInput.h1;
|
||||
ECPoint g2 = orProofInput.g2;
|
||||
ECPoint h2 = orProofInput.h2;
|
||||
ECPoint g1 = orStatement.g1;
|
||||
ECPoint h1 = orStatement.h1;
|
||||
ECPoint g2 = orStatement.g2;
|
||||
ECPoint h2 = orStatement.h2;
|
||||
|
||||
ECPoint g1Tag = orProofInput.g1Tag;
|
||||
ECPoint h1Tag = orProofInput.h1Tag;
|
||||
ECPoint g2Tag = orProofInput.g2Tag;
|
||||
ECPoint h2Tag = orProofInput.h2Tag;
|
||||
ECPoint g1Tag = orStatement.g1Tag;
|
||||
ECPoint h1Tag = orStatement.h1Tag;
|
||||
ECPoint g2Tag = orStatement.g2Tag;
|
||||
ECPoint h2Tag = orStatement.h2Tag;
|
||||
|
||||
BigInteger r = encryptor.extractRandomness(encryptor.generateRandomness(rand)).mod(groupOrderUpperBound);
|
||||
BigInteger c1,c2,z,zTag;
|
||||
|
|
@ -127,7 +127,7 @@ public class Prover implements Mix2ZeroKnowledgeProver {
|
|||
Mixing.ZeroKnowledgeProof.OrProof.ForRandomOracle forRandomOracle;
|
||||
|
||||
|
||||
switch (orProofInput.flag) {
|
||||
switch (orStatement.flag) {
|
||||
case left:
|
||||
c2 = encryptor.extractRandomness(encryptor.generateRandomness(rand)).mod(groupOrderUpperBound);
|
||||
zTag = encryptor.extractRandomness(encryptor.generateRandomness(rand)).mod(groupOrderUpperBound);
|
||||
|
|
@ -140,14 +140,14 @@ public class Prover implements Mix2ZeroKnowledgeProver {
|
|||
// c1 = (hash(input + step1) + group size - c2)% group size
|
||||
forRandomOracle =
|
||||
Mixing.ZeroKnowledgeProof.OrProof.ForRandomOracle.newBuilder()
|
||||
.setG1(ByteString.copyFrom(orProofInput.g1Encoded))
|
||||
.setH1(ByteString.copyFrom(orProofInput.h1Encoded))
|
||||
.setG2(ByteString.copyFrom(orProofInput.g2Encoded))
|
||||
.setH2(ByteString.copyFrom(orProofInput.h2Encoded))
|
||||
.setG1Tag(ByteString.copyFrom(orProofInput.g1TagEncoded))
|
||||
.setH1Tag(ByteString.copyFrom(orProofInput.h1TagEncoded))
|
||||
.setG2Tag(ByteString.copyFrom(orProofInput.g2TagEncoded))
|
||||
.setH2Tag(ByteString.copyFrom(orProofInput.h2TagEncoded))
|
||||
.setG1(ByteString.copyFrom(orStatement.g1Encoded))
|
||||
.setH1(ByteString.copyFrom(orStatement.h1Encoded))
|
||||
.setG2(ByteString.copyFrom(orStatement.g2Encoded))
|
||||
.setH2(ByteString.copyFrom(orStatement.h2Encoded))
|
||||
.setG1Tag(ByteString.copyFrom(orStatement.g1TagEncoded))
|
||||
.setH1Tag(ByteString.copyFrom(orStatement.h1TagEncoded))
|
||||
.setG2Tag(ByteString.copyFrom(orStatement.g2TagEncoded))
|
||||
.setH2Tag(ByteString.copyFrom(orStatement.h2TagEncoded))
|
||||
.setU(ByteString.copyFrom(group.encode(u)))
|
||||
.setV(ByteString.copyFrom(group.encode(v)))
|
||||
.setUTag(ByteString.copyFrom(group.encode(uTag)))
|
||||
|
|
@ -156,7 +156,7 @@ public class Prover implements Mix2ZeroKnowledgeProver {
|
|||
c1 = hash(forRandomOracle,randomOracle).add(group.orderUpperBound().subtract(c2)).mod(groupOrderUpperBound);
|
||||
//step 3
|
||||
//z = (r + c1 * x) % group size;
|
||||
z = r.add(c1.multiply(encryptor.extractRandomness(orProofInput.x))).mod(groupOrderUpperBound);
|
||||
z = r.add(c1.multiply(encryptor.extractRandomness(orStatement.x))).mod(groupOrderUpperBound);
|
||||
break;
|
||||
case right:
|
||||
c1 = encryptor.extractRandomness(encryptor.generateRandomness(rand)).mod(groupOrderUpperBound);
|
||||
|
|
@ -170,14 +170,14 @@ public class Prover implements Mix2ZeroKnowledgeProver {
|
|||
// c1 = (hash(input + step1) + group size - c1)% group size
|
||||
forRandomOracle =
|
||||
Mixing.ZeroKnowledgeProof.OrProof.ForRandomOracle.newBuilder()
|
||||
.setG1(ByteString.copyFrom(orProofInput.g1Encoded))
|
||||
.setH1(ByteString.copyFrom(orProofInput.h1Encoded))
|
||||
.setG2(ByteString.copyFrom(orProofInput.g2Encoded))
|
||||
.setH2(ByteString.copyFrom(orProofInput.h2Encoded))
|
||||
.setG1Tag(ByteString.copyFrom(orProofInput.g1TagEncoded))
|
||||
.setH1Tag(ByteString.copyFrom(orProofInput.h1TagEncoded))
|
||||
.setG2Tag(ByteString.copyFrom(orProofInput.g2TagEncoded))
|
||||
.setH2Tag(ByteString.copyFrom(orProofInput.h2TagEncoded))
|
||||
.setG1(ByteString.copyFrom(orStatement.g1Encoded))
|
||||
.setH1(ByteString.copyFrom(orStatement.h1Encoded))
|
||||
.setG2(ByteString.copyFrom(orStatement.g2Encoded))
|
||||
.setH2(ByteString.copyFrom(orStatement.h2Encoded))
|
||||
.setG1Tag(ByteString.copyFrom(orStatement.g1TagEncoded))
|
||||
.setH1Tag(ByteString.copyFrom(orStatement.h1TagEncoded))
|
||||
.setG2Tag(ByteString.copyFrom(orStatement.g2TagEncoded))
|
||||
.setH2Tag(ByteString.copyFrom(orStatement.h2TagEncoded))
|
||||
.setU(ByteString.copyFrom(group.encode(u)))
|
||||
.setV(ByteString.copyFrom(group.encode(v)))
|
||||
.setUTag(ByteString.copyFrom(group.encode(uTag)))
|
||||
|
|
@ -186,7 +186,7 @@ public class Prover implements Mix2ZeroKnowledgeProver {
|
|||
c2 = hash(forRandomOracle,randomOracle).add(group.orderUpperBound().subtract(c1)).mod(groupOrderUpperBound);
|
||||
//step 3
|
||||
//zTag = (r + c2 * x) % group size;
|
||||
zTag = r.add(c2.multiply(encryptor.extractRandomness(orProofInput.x))).mod(groupOrderUpperBound);
|
||||
zTag = r.add(c2.multiply(encryptor.extractRandomness(orStatement.x))).mod(groupOrderUpperBound);
|
||||
break;
|
||||
default:
|
||||
return null;
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
package meerkat.mixer.verifier;
|
||||
package meerkat.mixer.proofs;
|
||||
|
||||
import com.google.protobuf.InvalidProtocolBufferException;
|
||||
import meerkat.crypto.concrete.ECElGamalEncryption;
|
||||
|
|
@ -6,8 +6,6 @@ import meerkat.crypto.mixnet.Mix2ZeroKnowledgeVerifier;
|
|||
import meerkat.protobuf.Crypto;
|
||||
import meerkat.protobuf.Mixing;
|
||||
import org.bouncycastle.math.ec.ECPoint;
|
||||
import meerkat.mixer.prover.ElGamalProofOrganizer;
|
||||
import meerkat.mixer.prover.Prover;
|
||||
import org.factcenter.qilin.primitives.RandomOracle;
|
||||
import org.factcenter.qilin.primitives.concrete.ECGroup;
|
||||
|
||||
|
|
@ -20,20 +18,20 @@ public class Verifier implements Mix2ZeroKnowledgeVerifier {
|
|||
private final ECGroup group;
|
||||
private final RandomOracle randomOracle;
|
||||
private final ECPoint g,h;
|
||||
private final ElGamalProofOrganizer organizer;
|
||||
private final ECElGamalMixProof organizer;
|
||||
private final ZeroKnowledgeOrProofParser parser;
|
||||
|
||||
/**
|
||||
* constructor
|
||||
* @param encryptor should be as the encryptor used by meerkat.mixer.prover
|
||||
* @param randomOracle should be as the random oracle used by meerkat.mixer.prover
|
||||
* @param encryptor should be as the encryptor used by meerkat.mixer.proofs
|
||||
* @param randomOracle should be as the random oracle used by meerkat.mixer.proofs
|
||||
*/
|
||||
public Verifier(ECElGamalEncryption encryptor, RandomOracle randomOracle) {
|
||||
this.group = encryptor.getGroup();
|
||||
this.g = group.getGenerator();
|
||||
this.h = encryptor.getElGamalPK().getPK();
|
||||
this.randomOracle = randomOracle;
|
||||
this.organizer = new ElGamalProofOrganizer(group,g,h);
|
||||
this.organizer = new ECElGamalMixProof(group,g,h);
|
||||
this.parser = new ZeroKnowledgeOrProofParser(group);
|
||||
}
|
||||
|
||||
|
|
@ -54,32 +52,32 @@ public class Verifier implements Mix2ZeroKnowledgeVerifier {
|
|||
Crypto.RerandomizableEncryptedMessage out1,
|
||||
Crypto.RerandomizableEncryptedMessage out2,
|
||||
Mixing.ZeroKnowledgeProof proof) throws InvalidProtocolBufferException {
|
||||
ElGamalProofOrganizer.ElGamalProofInput input = organizer.createProofInput(in1,in2,out1,out2);
|
||||
return verifyElGamaOrProof(input.getOrProofInput(ElGamalProofOrganizer.OrProofOrder.first), proof.getFirst())&&
|
||||
verifyElGamaOrProof(input.getOrProofInput(ElGamalProofOrganizer.OrProofOrder.second), proof.getSecond())&&
|
||||
verifyElGamaOrProof(input.getOrProofInput(ElGamalProofOrganizer.OrProofOrder.third), proof.getThird())&&
|
||||
verifyElGamaOrProof(input.getOrProofInput(ElGamalProofOrganizer.OrProofOrder.fourth), proof.getFourth());
|
||||
ECElGamalMixProof.Statement statement = organizer.createProofInput(in1,in2,out1,out2);
|
||||
return verifyElGamaOrProof(statement.getFirst(), proof.getFirst())&&
|
||||
verifyElGamaOrProof(statement.getSecond(), proof.getSecond())&&
|
||||
verifyElGamaOrProof(statement.getThird(), proof.getThird())&&
|
||||
verifyElGamaOrProof(statement.getFourth(), proof.getFourth());
|
||||
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
*
|
||||
* @param orProofInput
|
||||
* @param orStatement
|
||||
* @param orProof
|
||||
* @return verify single or proof
|
||||
*/
|
||||
private boolean verifyElGamaOrProof(ElGamalProofOrganizer.OrProofInput orProofInput,
|
||||
private boolean verifyElGamaOrProof(ECElGamalMixProof.OrStatement orStatement,
|
||||
Mixing.ZeroKnowledgeProof.OrProof orProof) {
|
||||
ZeroKnowledgeOrProofParser.ZeroKnowledgeOrProofContainer container = parser.parseOrProof(orProof);
|
||||
return container.g1.equals(orProofInput.g1) &&
|
||||
container.h1.equals(orProofInput.h1) &&
|
||||
container.g2.equals(orProofInput.g2) &&
|
||||
container.h2.equals(orProofInput.h2) &&
|
||||
container.g1Tag.equals(orProofInput.g1Tag) &&
|
||||
container.h1Tag.equals(orProofInput.h1Tag) &&
|
||||
container.g2Tag.equals(orProofInput.g2Tag) &&
|
||||
container.h2Tag.equals(orProofInput.h2Tag) &&
|
||||
return container.g1.equals(orStatement.g1) &&
|
||||
container.h1.equals(orStatement.h1) &&
|
||||
container.g2.equals(orStatement.g2) &&
|
||||
container.h2.equals(orStatement.h2) &&
|
||||
container.g1Tag.equals(orStatement.g1Tag) &&
|
||||
container.h1Tag.equals(orStatement.h1Tag) &&
|
||||
container.g2Tag.equals(orStatement.g2Tag) &&
|
||||
container.h2Tag.equals(orStatement.h2Tag) &&
|
||||
container.c1.add(container.c2).mod(group.orderUpperBound())
|
||||
.equals(Prover.hash(container.forRandomOracle,randomOracle).mod(group.orderUpperBound())) &&
|
||||
group.multiply(container.g1, container.z)
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
package meerkat.mixer.verifier;
|
||||
package meerkat.mixer.proofs;
|
||||
|
||||
import com.google.protobuf.InvalidProtocolBufferException;
|
||||
import meerkat.crypto.mixnet.Mix2ZeroKnowledgeVerifier;
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
package meerkat.mixer.verifier;
|
||||
package meerkat.mixer.proofs;
|
||||
|
||||
import com.google.protobuf.ByteString;
|
||||
import meerkat.protobuf.Mixing;
|
||||
|
|
@ -5,9 +5,9 @@ import meerkat.crypto.mixnet.Mix2ZeroKnowledgeProver;
|
|||
import meerkat.crypto.mixnet.Mix2ZeroKnowledgeVerifier;
|
||||
import meerkat.mixer.mixing.Mixer;
|
||||
import meerkat.mixer.mixing.MixerOutput;
|
||||
import meerkat.mixer.prover.Prover;
|
||||
import meerkat.mixer.verifier.Verifier;
|
||||
import meerkat.mixer.verifier.VerifyTable;
|
||||
import meerkat.mixer.proofs.Prover;
|
||||
import meerkat.mixer.proofs.Verifier;
|
||||
import meerkat.mixer.proofs.VerifyTable;
|
||||
import meerkat.protobuf.Crypto;
|
||||
import meerkat.protobuf.Voting;
|
||||
import org.factcenter.qilin.primitives.RandomOracle;
|
||||
|
|
|
|||
|
|
@ -8,9 +8,9 @@ import com.google.protobuf.InvalidProtocolBufferException;
|
|||
import meerkat.crypto.concrete.ECElGamalEncryption;
|
||||
import meerkat.crypto.mixnet.Mix2ZeroKnowledgeVerifier;
|
||||
import meerkat.mixer.mixing.Mixer;
|
||||
import meerkat.mixer.prover.Prover;
|
||||
import meerkat.mixer.verifier.Verifier;
|
||||
import meerkat.mixer.verifier.VerifyTable;
|
||||
import meerkat.mixer.proofs.Prover;
|
||||
import meerkat.mixer.proofs.Verifier;
|
||||
import meerkat.mixer.proofs.VerifyTable;
|
||||
import meerkat.protobuf.Crypto;
|
||||
import meerkat.protobuf.Voting;
|
||||
import org.factcenter.qilin.primitives.RandomOracle;
|
||||
|
|
|
|||
|
|
@ -5,8 +5,8 @@ import com.google.protobuf.InvalidProtocolBufferException;
|
|||
import meerkat.crypto.concrete.ECElGamalEncryption;
|
||||
import meerkat.crypto.mixnet.Mix2ZeroKnowledgeProver;
|
||||
import meerkat.crypto.mixnet.Mix2ZeroKnowledgeVerifier;
|
||||
import meerkat.mixer.prover.Prover;
|
||||
import meerkat.mixer.verifier.Verifier;
|
||||
import meerkat.mixer.proofs.Prover;
|
||||
import meerkat.mixer.proofs.Verifier;
|
||||
import meerkat.protobuf.ConcreteCrypto;
|
||||
import meerkat.protobuf.Crypto;
|
||||
import meerkat.protobuf.Voting;
|
||||
|
|
|
|||
|
|
@ -4,7 +4,7 @@ import com.google.protobuf.ByteString;
|
|||
import com.google.protobuf.InvalidProtocolBufferException;
|
||||
import meerkat.crypto.concrete.ECElGamalEncryption;
|
||||
import meerkat.crypto.mixnet.Mix2ZeroKnowledgeProver;
|
||||
import meerkat.mixer.prover.Prover;
|
||||
import meerkat.mixer.proofs.Prover;
|
||||
import meerkat.protobuf.ConcreteCrypto;
|
||||
import meerkat.protobuf.Crypto;
|
||||
import meerkat.protobuf.Voting;
|
||||
|
|
|
|||
Loading…
Reference in New Issue